RealTime IT News

IE Overhaul Part of Windows XP SP2

Microsoft's soon-to-be-released service pack for Windows XP will come with a major security-centric overhaul to the company's flagship Internet Explorer browser, including a new add-on management and crash detection tool and several modifications to the browser's default security settings.

According to a document spelling out the implications of the XP changes for developers, Microsoft said the browser will be updated dramatically in order to thwart malicious hacking attempts and to offer a more secure browsing experience.

First up is a major change to the way security policies are applied to deal with ActiveX Controls, the technology that is automatically downloaded and executed by the browser. ActiveX vulnerabilities are often found in IE; Microsoft said XP SP2 will apply security policies consistently at the source of the URL binding: URLMON.

"In the case of ActiveX controls, the ActiveX security model allows controls to be marked as 'safe for scripting' or 'safe for initialization' and provides users with the ability to block or allow ActiveX controls by zone, based on those settings," Microsoft explained. In earlier Windows versions, the software giant said the security framework was not applied in all cases where URL binding took place.

"Instead the calling code was responsible for assuring the integrity and security of the control, which could often result in security vulnerabilities. There are now a number of public exploit variations that exploit this exact issue by going through Internet Explorer to compromise vulnerabilities in the calling code, the company warned.

Once XP Service Pack is released (expected in the second quarter next year), Microsoft said IE will be tweaked to follow stricter rules to reduce the risk of attacks via MIME (Multipurpose Internet Mail Extensions) Handling . In the modified browser, IE will require that all file-type information provided by Web servers be consistent to avoid spoofing of the MIME-handling logic.

"If the MIME type of a file is "text/plain" but the MIME sniff indicates that the file is really an executable file, Internet Explorer (will) rename the file by saving the file in the (IE cache) and change its extension," the company said.

Microsoft also plans to modify the browser in Windows XP Service Pack 2, in order to let all local files and content that are processed by IE have the security of the Local Machine zone applied to it. This is a significant difference from earlier IE versions where local content was said to be secure but had no zone-based security placed on it.

The updated IE will also block access to objects cached from Web sites. Script-initiated windows with the title bar and status bar would be constrained in scripted movement to ensure that "important and informative bars" remain visible after the operation completes. Microsoft has made this change to block scripts from positioning Web windows so that the title bar or address bar are above the visible top of the display.

A brand-new feature in the Windows XP SP 2 is an Internet Explorer Add-on Management tool that lets users view and control the list of add-ons that can be loaded by the browser. The add-on management feature also shows the presence of some add-ons that were previously not shown and could be very difficult to detect.

The company has also integrated an add-on crash detection feature in IE to detect browser crashes that are related to an add-on. When the add-on is successfully identified, IE will then present the information and give the user the option of disabling add-ons in order to diagnose frequent crashes and improve the overall stability of the browser.

The IE tweaks also include a Pop-Up Manager that blocks unwanted pop-up windows from launching. As previously reported, Microsoft will make the move to block the ad format and also tweak the browser to allow end users and IT admins to let specific domains launch programmatic pop-up windows.

Internet Explorer will also be fitted with a new Authenticode feature that lets surfers block content from a specific publisher from installing or running. A 'Never Trust Content' check box will be included in the Authenticode dialog box to let a user decide whether to block code that is identified with the publisher's digital signature.

The IE security makeover comes as part of a major overhaul to the Windows XP operating system which will include the ability to monitor browsing, e-mail and instant messaging for malicious attachment or code.

Microsoft confirmed the XP update will disable unnecessary services that open ports to potential hacks by worms or spam and include protection against the ubiquitous buffer overflows, the most common software security flaw. New compiler technology will be added to XP to detect buffer overruns and stop malicious code from running on the computer.